General
-
Target
TOP-010122 HTGW-210122.xls
-
Size
70KB
-
Sample
220121-sfrqmahhc5
-
MD5
54a404bdf97dec3861e86661501de08f
-
SHA1
d265c805ce856e563e54b014495ac663c9181d3c
-
SHA256
8a07b30e84df7c4db85691e055e4f39fb78621392b7a282b3b64d13a675e14b1
-
SHA512
09a4bcb74c1018711277aea44df07a25b751903bf97b27ecb16e30acfb9563219ec1c0f3d654095e8f8bc14224dcbd5247b8520bdb13fdb2ee7740049a647bc8
Behavioral task
behavioral1
Sample
TOP-010122 HTGW-210122.xls
Resource
win7-en-20211208
Malware Config
Extracted
http://0xb907d607/fer/fe2.html
Extracted
http://185.7.214.7/fer/fe2.png
Extracted
emotet
Epoch4
131.100.24.231:80
209.59.138.75:7080
103.8.26.103:8080
51.38.71.0:443
212.237.17.99:8080
79.172.212.216:8080
207.38.84.195:8080
104.168.155.129:8080
178.79.147.66:8080
46.55.222.11:443
103.8.26.102:8080
192.254.71.210:443
45.176.232.124:443
203.114.109.124:443
51.68.175.8:8080
58.227.42.236:80
45.142.114.231:8080
217.182.143.207:443
178.63.25.185:443
45.118.115.99:8080
103.75.201.2:443
104.251.214.46:8080
158.69.222.101:443
81.0.236.90:443
45.118.135.203:7080
176.104.106.96:8080
212.237.56.116:7080
216.158.226.206:443
173.212.193.249:8080
50.116.54.215:443
138.185.72.26:8080
41.76.108.46:8080
212.237.5.209:443
107.182.225.142:8080
195.154.133.20:443
162.214.50.39:7080
110.232.117.186:8080
Targets
-
-
Target
TOP-010122 HTGW-210122.xls
-
Size
70KB
-
MD5
54a404bdf97dec3861e86661501de08f
-
SHA1
d265c805ce856e563e54b014495ac663c9181d3c
-
SHA256
8a07b30e84df7c4db85691e055e4f39fb78621392b7a282b3b64d13a675e14b1
-
SHA512
09a4bcb74c1018711277aea44df07a25b751903bf97b27ecb16e30acfb9563219ec1c0f3d654095e8f8bc14224dcbd5247b8520bdb13fdb2ee7740049a647bc8
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Drops file in System32 directory
-